Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2026-03-04T12:19:46+00:00 2026-03-04T12:19:46+00:00 Ruipeng Qi ruipengqi3@gmail.com 2026-02-03T02:03:58+00:00 urn:sha1:88d5b28f63c7aac1271784e3b800ed405d1cde75 [ Upstream commit 05363abc7625cf18c96e67f50673cd07f11da5e9 ] In persistent_ram_vmap(), vmap() may return NULL on failure. If offset is non-zero, adding offset_in_page(start) causes the function to return a non-NULL pointer even though the mapping failed. persistent_ram_buffer_map() therefore incorrectly returns success. Subsequent access to prz->buffer may dereference an invalid address and cause crashes. Add proper NULL checking for vmap() failures. Signed-off-by: Ruipeng Qi <ruipengqi3@gmail.com> Link: https://patch.msgid.link/20260203020358.3315299-1-ruipengqi3@gmail.com Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-02-26T23:00:50+00:00 Sai Ritvik Tanksalkar stanksal@purdue.edu 2026-02-01T13:22:40+00:00 urn:sha1:7cfe964e61c0ab667abd5f5b68e0acbf783efa4f [ Upstream commit 5669645c052f235726a85f443769b6fc02f66762 ] persistent_ram_save_old() can be called multiple times for the same persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz for PSTORE_TYPE_DMESG records). Currently, the function only allocates prz->old_log when it is NULL, but it unconditionally updates prz->old_log_size to the current buffer size and then performs memcpy_fromio() using this new size. If the buffer size has grown since the first allocation (which can happen across different kernel boot cycles), this leads to: 1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls 2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer using the incorrect (larger) old_log_size The KASAN splat would look similar to: BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x... Read of size N at addr ... by task ... The conditions are likely extremely hard to hit: 0. Crash with a ramoops write of less-than-record-max-size bytes. 1. Reboot: ramoops registers, pstore_get_records(0) reads old crash, allocates old_log with size X 2. Crash handler registered, timer started (if pstore_update_ms >= 0) 3. Oops happens (non-fatal, system continues) 4. pstore_dump() writes oops via ramoops_pstore_write() size Y (>X) 5. pstore_new_entry = 1, pstore_timer_kick() called 6. System continues running (not a panic oops) 7. Timer fires after pstore_update_ms milliseconds 8. pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1) 9. ramoops_get_next_prz() → persistent_ram_save_old() 10. buffer_size() returns Y, but old_log is X bytes 11. Y > X: memcpy_fromio() overflows heap Requirements: - a prior crash record exists that did not fill the record size (almost impossible since the crash handler writes as much as it can possibly fit into the record, capped by max record size and the kmsg buffer almost always exceeds the max record size) - pstore_update_ms >= 0 (disabled by default) - Non-fatal oops (system survives) Free and reallocate the buffer when the new size differs from the previously allocated size. This ensures old_log always has sufficient space for the data being copied. Fixes: 201e4aca5aa1 ("pstore/ram: Should update old dmesg buffer before reading") Signed-off-by: Sai Ritvik Tanksalkar <stanksal@purdue.edu> Link: https://patch.msgid.link/20260201132240.2948732-1-stanksal@purdue.edu Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-12-05T22:36:21+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-05T22:36:21+00:00 urn:sha1:7cd122b55283d3ceef71a5b723ccaa03a72284b4 Pull persistent dentry infrastructure and conversion from Al Viro: "Some filesystems use a kinda-sorta controlled dentry refcount leak to pin dentries of created objects in dcache (and undo it when removing those). A reference is grabbed and not released, but it's not actually _stored_ anywhere. That works, but it's hard to follow and verify; among other things, we have no way to tell _which_ of the increments is intended to be an unpaired one. Worse, on removal we need to decide whether the reference had already been dropped, which can be non-trivial if that removal is on umount and we need to figure out if this dentry is pinned due to e.g. unlink() not done. Usually that is handled by using kill_litter_super() as ->kill_sb(), but there are open-coded special cases of the same (consider e.g. /proc/self). Things get simpler if we introduce a new dentry flag (DCACHE_PERSISTENT) marking those "leaked" dentries. Having it set claims responsibility for +1 in refcount. The end result this series is aiming for: - get these unbalanced dget() and dput() replaced with new primitives that would, in addition to adjusting refcount, set and clear persistency flag. - instead of having kill_litter_super() mess with removing the remaining "leaked" references (e.g. for all tmpfs files that hadn't been removed prior to umount), have the regular shrink_dcache_for_umount() strip DCACHE_PERSISTENT of all dentries, dropping the corresponding reference if it had been set. After that kill_litter_super() becomes an equivalent of kill_anon_super(). Doing that in a single step is not feasible - it would affect too many places in too many filesystems. It has to be split into a series. This work has really started early in 2024; quite a few preliminary pieces have already gone into mainline. This chunk is finally getting to the meat of that stuff - infrastructure and most of the conversions to it. Some pieces are still sitting in the local branches, but the bulk of that stuff is here" * tag 'pull-persistency' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (54 commits) d_make_discardable(): warn if given a non-persistent dentry kill securityfs_recursive_remove() convert securityfs get rid of kill_litter_super() convert rust_binderfs convert nfsctl convert rpc_pipefs convert hypfs hypfs: swich hypfs_create_u64() to returning int hypfs: switch hypfs_create_str() to returning int hypfs: don't pin dentries twice convert gadgetfs gadgetfs: switch to simple_remove_by_name() convert functionfs functionfs: switch to simple_remove_by_name() functionfs: fix the open/removal races functionfs: need to cancel ->reset_work in ->kill_sb() functionfs: don't bother with ffs->ref in ffs_data_{opened,closed}() functionfs: don't abuse ffs_data_closed() on fs shutdown convert selinuxfs ... 2025-11-16T06:35:03+00:00 Al Viro viro@zeniv.linux.org.uk 2024-05-09T07:01:37+00:00 urn:sha1:eec876df5e7647bca03b72e0bcecb2e8bf0390a5 object creation by d_alloc_name()+d_add() in pstore_mkfile(), removal - via normal VFS codepaths (with ->unlink() using simple_unlink()) or in pstore_put_backend_records() via locked_recursive_removal() Replace d_add() with d_make_persistent()+dput() - that's what really happens there. The reference that goes into record->dentry is valid only until the unlink (and explicitly cleared by pstore_unlink()). Reviewed-by: Kees Cook <kees@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2025-10-23T15:56:04+00:00 Tzung-Bi Shih tzungbi@kernel.org 2025-10-23T14:37:55+00:00 urn:sha1:b692553573683b9e4ebab40c2782a3163f984cfd Update module parameters `mem_type` and `ramoops_ecc` from platform data so that they are available through /sys/module/ramoops/parameters/. `ramoops_dump_oops` isn't included as it has been deprecated. Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://patch.msgid.link/20251023143755.26204-1-tzungbi@kernel.org Signed-off-by: Kees Cook <kees@kernel.org> 2025-09-30T01:08:34+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-09-30T01:08:34+00:00 urn:sha1:e129e479f2e444eaccd822717d418119d39d3d5c Pull tiny pstore update from Kees Cook: - Clarify various comments for better understanding (Eugen Hristev) * tag 'pstore-v6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: pstore/zone: rewrite some comments for better understanding 2025-09-15T14:09:42+00:00 Mateusz Guzik mjguzik@gmail.com 2025-09-15T12:57:29+00:00 urn:sha1:f99b3917789d83ea89b24b722d784956f8289f45 generic_delete_inode() is rather misleading for what the routine is doing. inode_just_drop() should be much clearer. The new naming is inconsistent with generic_drop_inode(), so rename that one as well with inode_ as the suffix. No functional changes. Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-07-03T02:36:51+00:00 Al Viro viro@zeniv.linux.org.uk 2025-03-10T04:34:08+00:00 urn:sha1:7b7a8ca43fcf027f8aabd7c0629c2d39bfd97300 rather than playing with manual d_invalidate() Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2025-05-09T19:09:58+00:00 Eugen Hristev eugen.hristev@linaro.org 2025-01-17T08:42:28+00:00 urn:sha1:d679c2e1e8d96f71f85e2ef3877407d264212cc3 Rewrite some comments to make it more clear and easier to understand; fix typos. Signed-off-by: Eugen Hristev <eugen.hristev@linaro.org> Link: https://lore.kernel.org/r/20241224154405.295840-1-eugen.hristev@linaro.org Link: https://lore.kernel.org/r/20250117084228.3218024-1-eugen.hristev@linaro.org Signed-off-by: Kees Cook <kees@kernel.org> 2025-04-05T08:30:12+00:00 Thomas Gleixner tglx@linutronix.de 2025-04-05T08:17:26+00:00 urn:sha1:8fa7292fee5c5240402371ea89ab285ec856c916 timer_delete[_sync]() replaces del_timer[_sync](). Convert the whole tree over and remove the historical wrapper inlines. Conversion was done with coccinelle plus manual fixups where necessary. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Ingo Molnar <mingo@kernel.org>